Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

SMS Fix for iPhone Available, Needs to Be Deployed Before Attacks Surface

Responding quickly to the SMS-based vulnerability to the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday. The vulnerability research, performed by Charlie

WEBINAR:On-Demand

Responding quickly to the SMS-based vulnerability to the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday.

The vulnerability research, performed by Charlie Miller and Collin Mulliner, demonstrated ways that an attacker could crash the connectivity or telephony subsystems of the iPhone through a series of invalid SMS messages, or even introduce exploit code to the device.

According to the limited information Apple provided about the fix, version 3.01 only addresses the SMS vulnerabilities and it apparently does not include other features or fixes at this time. Specifically, the Apple knowledgebase article says:

Further reading

"Available for: iPhone OS 1.0 through iPhone OS 3.0 Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue."

I've downloaded the new code via iTunes, finding the updated firmware (for the 3G and 3GS models) weighing in at 297.9 MB. After downloading, the install went smoothly and took about 10 minutes. In a quick scan around the device, I've yet to see any changes in the user interface other than an acknowledgment that the update was successful.

Given the potential severity of the SMS vulnerability now that the exploit has been discussed in a public forum, I would advise users and mobile administrators undertake the update as soon as possible. However, I feel that corporate administrators particularly will feel the pain of this update because of the lack of attention Apple has paid toward true enterprise management tools for the device.

While Apple has made some strides toward enterprise friendliness with version 2.0 of their profile tools - allowing administrators to push out certificates, usage policies, and VPN settings - Apple has done nothing to address remote firmware management on a device fleet.

BlackBerry administrators can turn to their BES servers to deploy critical firmware updates. Android and WebOS administrators (however few of those there may be at this time) can expect the carrier to deliver patches (albeit in a staggered and somewhat unpredictable fashion). Windows Mobile and Symbian administrators can turn to third party tools for the same functionality.

But iPhone administrators have to e-mail all their users to tell them to do it themselves - presuming the users have access to iTunes and some decent bandwidth - or run a time-inefficient depot station and demand the users bring the devices in for immediate upgrade. Neither solution is effective for large deployments because neither ensures the work will get done.

Because we haven't yet seen any in-the-wild attacks on the SMS vulnerabilities, time to patch may not be critically important in this particular instance. But quite possibly in the near future, Apple will find itself facing a critical vulnerability with a zero-day remote exploit in the wild, and it will find its delivery methods failing a most important segment of its customer base.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.